(57) ABSTRACT

In an issuing subsystem is stored a first set of authorization 
data including information on matching between an operator 
and a group the operator belongs to, and information on 
matching between a group and commands authorized for 
operators belonging to the group. As an operator enters a 
command, the issuing subsystem references the first set of 
authorization data, judges whether or not the operator is to 
be authorized to execute the command and, if it is judged 
that he or she is to be authorized, augments the command 
with information identifying the group to which the operator 
belongs, the augmented command being transmitted to an 
executing subsystem. The executing subsystem stores a 
second set of authorization data including information on 
matching between a group and commands authorized for 
execution in response to an execution request from the
group. The executing subsystem, upon receiving a transac- 
tion command from the issuing subsystem, references the 
second set of authorization data, judges whether or not the 
command is to be authorized for execution in response to the 
request from the group whose command is augmented with 
identifying information and, if it is judged that it is to be 
authorized, executes the command. 

23 Claims, H Drawing Sheets 
NETWORK SYSTEM AND METHOD FOR
LIMITING THE EXECUTION OF 
COMMANDS 

BACKGROUND OF THE INVENTION 

1. Field of the Invention 

The present invention relates to a network system and a 
method to limit, in a network system consisting of a plurality 
of computer systems with communication lines, the execu- 
tion of transaction commands given from one to another of 
the plurality of computer systems. 

2. Description of the Related Art 
In a network system consisting of a plurality of computer
systems connected via a wide area network or the like, for
instance, a decentralized data management system, computer
systems are often installed correspondingly to groups using
the respective computer systems. The "group" in this context
may be a group of any size, ranging from a large organiza-
tion such as a corporation to a small one such as a depart-
ment or a section in a corporation. Conceivable ways of
being "installed corresponding to groups" include installation
of one computer system for each group, installation of
one computer system for a plurality of groups, and instal- 
lation of a plurality of computer systems for one group. 

In such a network system, where information registered 
with the computer system of one group is to be referenced 
and updated from the computer system of another group, if 
every operator is allowed to perform such a transaction with 
no limitation at all, the reliability of data stored on the 
network may be hurt if any operator updates or otherwise 
manipulates any data wrongly either intentionally or by 
mistake. 

Therefore, to avoid such trouble, it is necessary to supple- 
ment each transaction command with authority information 
indicating which operator may execute that particular trans- 
action command. 

Incidentally, conceivable methods to attach authority 
information to transaction commands include having each 
computer system manage authority information on operators 
of all the groups. This method, however, presupposes that all 
computer systems possess data needed for authorization of 
operations (hereinafter called "authorization data"), and 
accordingly if authorization data possessed by one computer 
system is augmented or altered, that augmentation and 
alteration will have to be reflected in all other computer
systems. Therefore, this method requires communication to 
have the augmentation and alteration reflected in the other 
computer systems, resulting in a problem of consuming 
more of system resources and thereby inviting a drop in the 
overall system performance. 

Methods according to the prior art for setting program 
execution authority (authority for command use) in a net- 
work system include one to control execution of transaction 
jobs on a group-by-group basis in a plurality of computer 
systems, which is disclosed in the Japanese Patent Applica- 
tion Laid-open No. Hei 7-219899. However, the technique 
disclosed by this patent application requires that, where a 
group authorized to execute transaction jobs is to be regis- 
tered with an execution authority library, the registration is 
classified by the computer ID. It also requires setting of
information on the opposite computer to be authorized for 
execution, type of authorization and the like for each set of 
program data, resulting in complexity of operation. 

SUMMARY OF THE INVENTION 

An object of the present invention, therefore, is to provide
a network system and a method capable of limiting the
execution of transaction commands entered from one com-
puter system to another without requiring communication to
keep the authorization data held by the computer systems
identical.

According to an aspect of the present invention, there is 
provided a network system including a first computer 
system, a second computer system, and communication lines 
to connect the first and second computer systems, 
the first computer system comprising: 

a first memory for storing a first set of authorization 
data including information on matching between an 
operator and a group the operator belongs to, and 
information on matching between a group and com- 
mands authorized for operators belonging to the 
group to execute; 
a first authorization unit for referencing, when a com- 
mand to be executed by the second computer system 
is entered by an operator, the first set of authorization
data and judging whether or not the operator is to be 
authorized to execute the command; and 
a first execution unit for augmenting, if the first autho- 
rization unit judges that the operator is to be autho- 
rized to execute the command, the command with 
information to identify the group to which the opera- 
tor belongs, and transmitting the augmented com- 
mand to the second computer system as a request 
from the group to execute the command; and 
the second computer system comprising: 

a second memory for storing a second set of authori- 
zation data including information on matching 
between a group and commands authorized for 
execution in response to an execution request from 
the group; 

a second authorization unit for referencing, when the 
command is received from the first computer system, 
the second set of authorization data and judging 
whether or not the command is to be authorized for 
execution in response to the execution request from 
the group whose command is augmented with iden- 
tifying information; and 
a second execution unit for executing the command, if 
the second authorization unit judges that the com- 
mand is to be authorized for execution, in response 
to the execution request from the group. 
According to another aspect of the present invention, in 
the foregoing network system, 
the second set of authorization data further includes 
information on matching between a group and data to 
which access is to be authorized in response to the 
execution request from the group; 
the second authorization unit references the second set of 
authorization data and judges whether or not the data to 
be accessed by the command are to be allowed access 
to in response to the request from the group whose 
command is augmented with identifying information; 
and 

the second execution unit, if the second authorization unit 
judges that the data may be allowed access to in 
response to the request from the group, executes the 
command. 

According to still another aspect of the present invention, 
in the foregoing network system, 

the first execution unit further augments the command
with operator identifying information and transmits it 
to the second computer system; 

the second memory further stores a list of unauthorized 
operators matching commands and operators unautho- 
rized to execute the respective commands; 






US 6,574,656 B1



the second authorization unit refers to the list of unau- 
thorized operators and judges whether or not the opera- 
tor whose command is augmented with identifying 
information is to be authorized to execute the com- 
mand; and 

the second execution unit, if the second authorization unit 
judges that the operator is not to be authorized to execute
the command, does not execute the command. 

According to still another aspect of the present invention, 
there is provided a method to limit the execution of 
commands, comprising: 

a first registration step to register with a first computer 
system a first set of authorization data including infor- 
mation on matching between an operator and a group 
the operator belongs to, and information on matching 
between a group and commands authorized for opera- 
tors belonging to the group to execute; 

a second registration step to register with a second com- 
puter system a second set of authorization data includ- 
ing information on matching between a group and 
commands authorized for execution in response to an 
execution request from the group; 

a first authorization step to reference, when a command to 
be executed by the second computer system is entered 
by an operator into the first computer system, the first 
set of authorization data and to judge whether or not the 
operator is to be authorized to execute the command; 
and 

a first execution step to augment, if it is judged at the first 
authorization step that the operator is to be authorized 
to execute the command, the command with informa- 
tion to identify the group to which the operator belongs, 
and to transmit the augmented command from the first 
computer system to the second computer system as a 
request from the group to execute the command; and 

a second authorization step to reference, when the second 
computer system receives the command from the first 
computer system, the second set of authorization data 
and to judge whether or not the command is to be 
authorized for execution in response to the execution 
request from the group whose command is augmented 
with identifying information; and 

a second execution step to have the command executed by 
the second computer system, if it is judged at the 
second authorization step that the command is to be 
authorized for execution, in response to the execution 
request from the group. 

According to still another aspect of the present invention, 
in the foregoing method, 

the second set of authorization data further includes 
information on matching between a group and data to 
which access is to be authorized in response to the 
execution request from the group; 

at the second authorization step it is judged whether or not 
the data to be accessed by the command are to be 
allowed access to in response to the request from the 
group whose command is augmented with identifying 
information; and 

at the second execution step, if it is judged at the second 
authorization step that the data may be allowed access 
to in response to the request from the group, the 
command is executed. 

According to still another aspect of the present invention, 
in the foregoing method, 

at the first execution step, the command is further aug- 
mented with operator identifying information and 
transmitted to the second computer system; 
at the second registration step, a list of unauthorized
operators matching commands and operators unautho- 
rized to execute the respective commands is further 
registered; 

at the second authorization step, the list of unauthorized 
operators is referenced, and it is judged whether or not 
the operator whose command is augmented with iden- 
tifying information is to be authorized to execute the 
command; and 

at the second execution step, if it is judged at the second 
authorization step that the operator is not to be authorized
to execute the command, the command is not executed. 

According to still another aspect of the present invention, 
there is provided a storage medium recording thereon a 
program enabling: 

a first computer system to execute first registration pro- 
cessing to register a first set of authorization data 
including information on matching between an opera- 
tor and a group the operator belongs to, and information 
on matching between a group and commands autho- 
rized for operators belonging to the group; 

a second computer system to execute second registration 
processing to register a second set of authorization data 
including information on matching between a group 
and commands authorized for execution in response to 
an execution request from the group; 

the first computer system to execute first authorization 
processing to reference, when a command to be 
executed by the second computer system is entered by 
an operator, the first set of authorization data and to 
judge whether or not the operator is to be authorized to 
execute the command; 

the first computer system to execute first execution pro- 
cessing to augment, if it is judged by the first authori- 
zation processing that the operator is to be authorized 
to execute the command, the command with informa- 
tion to identify the group to which the operator belongs, 
and to transmit the augmented command to the second 
computer system as a request from the group to execute 
the command; 

the second computer system to execute second authori- 
zation processing to reference, when the command is 
received from the first computer system, the second set 
of authorization data and to judge whether or not the 
command is to be authorized for execution in response 
to the execution request from the group whose com- 
mand is augmented with identifying information; and 

the second computer system to execute second execution 
processing to execute the command, if it is judged by 
the second authorization processing that the command
is to be authorized for execution, in response to the 
execution request from the group. 

According to still another aspect of the present invention, 
in the foregoing recording medium, 

the second set of authorization data further includes 
information on matching between a group and data to 
which access is to be authorized in response to the 
execution request from the group; 

by the second authorization processing it is judged 
whether or not the data to be accessed by the command 
are to be allowed access to in response to the request 
from the group whose command is augmented with 
identifying information; and 

by the second execution processing, if it is judged by said 
second authorization processing that the data may be 
allowed access to in response to the request from the
group, the command is executed. 

According to still another aspect of the present invention, 
in the foregoing recording medium,

in the first execution processing, the command is further
augmented with operator identifying information and 
transmitted to the second computer system; 

in the second registration processing, a list of unautho- 
rized operators matching commands and operators 
unauthorized to execute the respective commands is 
further registered; 

in the second authorization processing, the list of unau- 
thorized operators is referenced, and it is judged 
whether or not the operator whose command is aug- 
mented with identifying information is to be authorized 
to execute the command; and 

in the second execution processing, if the second autho-
rization unit judges that the operator is not to be autho-
rized to execute the command, the command is not
executed.

BRIEF DESCRIPTION OF THE DRAWINGS 

Other features and advantages of the invention will 
become apparent from the detailed description hereunder,
when taken in conjunction with the accompanying drawings, 
wherein: 

FIG. 1 is a block diagram illustrating the configuration of 
a first preferred embodiment of the present invention; 

FIG. 2 is a flow chart showing the operations of an issuing 
subsystem to register authorization data in the first embodi- 
ment of the invention; 

FIG. 3 is a flow chart showing the operations of an 
executing subsystem to register authorization data in the first
embodiment of the invention; 

FIG. 4 is a flow chart showing the operations of an issuing 
subsystem to perform authorization in the first embodiment 
of the invention; 

FIG. 5 is a flow chart showing the operations of an
executing subsystem to perform authorization in the first 
embodiment of the invention; 

FIG. 6 is a flow chart showing details of the operations of 
an issuing subsystem to perform authorization in the first 
embodiment of the invention; 

FIG. 7 is a block diagram illustrating the configuration of 
a second preferred embodiment of the present invention; 

FIG. 8 is a block diagram illustrating the configuration of 
a third preferred embodiment of the present invention; and 

FIG. 9 is a flow chart showing the operations of an 
executing subsystem in the third embodiment of the inven- 
tion. 

DETAILED DESCRIPTION OF THE 
PREFERRED EMBODIMENTS 

A first embodiment of the present invention will be
described in detail below with reference to drawings.

Referring to FIG. 1, a network system, which is a pre-
ferred embodiment of the invention, consists of subsystems
100 and 300 connected by a communication line 200. 
Although only two subsystems are shown in FIG. 1, the 
number of subsystems is not limited to two. Furthermore, in 
this embodiment, the subsystem 100 is supposed to be a 
subsystem to issue transaction commands (hereinafter called
"issuing subsystem"), and the subsystem 300, a subsystem 
to execute transaction commands (hereinafter "executing
subsystem"). However, whether any one of subsystems is to
issue or to execute transaction commands is determined in 
its relationship to other subsystems. Therefore, in practical 
administration, each of the subsystems constituting a net- 
work system can either be an issuing subsystem or an 
executing subsystem. 

As illustrated, the subsystem 100 is provided with an 
authorization data terminal 110 to enter authorization data, 
an execution server 120 to perform execution control, an 
authorization server 130 to register authorization data 
entered from the authorization data terminal 110 and to 
perform checking with the authorization data, and a trans-
action terminal 140 to enter transaction commands.

Further the subsystem 300 is provided with an authori- 
zation data terminal 310, an execution server 320, authori- 
zation server 330 and a transaction terminal 340, each 
having a configuration similar to its counterpart in the
subsystem 100. 

In FIG. 1, only characteristic parts of the configuration of 
this embodiment are shown, but the illustration of other 
general aspects is dispensed with. 

The authorization data terminal 110 is further provided 
with a communication unit 111 for transmitting and receiv-
ing data, an input unit 112 for entering authorization data,
and a display unit 113 for displaying data. The commu-
nication unit 111 is realized with an interface suitable for
communication with the execution server 120, the input unit 
112, with a keyboard or a mouse for instance, and the display 
unit 113, with a usual display device for example. Each of 
the communication unit 311, the input unit 312 and the 
display unit 313 constituting the authorization data terminal 
310 has a configuration similar to its counterpart in the 
authorization data terminal 110. 

The execution server 120 is provided with a decision unit 
121 for controlling the execution of commands, an execu- 
tion unit 122 for actually processing commands, and a 
communication unit 123. The decision unit 121 and the 
execution unit 122 are realized with, for instance, a CPU 
under programmed control and a RAM or some other 
internal memory, and the communication unit 123 is realized 
with an interface suitable for communication with the autho- 
rization data terminal 110, the authorization server 130 and 
the transaction terminal 140. In the execution server 320, a 
decision unit 321, an execution unit 322 and a communica- 
tion unit 323 have configurations similar to their respective 
counterparts in the execution server 120. 

The authorization server 130 is provided with a data 
storage unit 131 for keeping authorization data and a com- 
munication unit 132. The data storage unit 131 is realized 
with, for instance, a magnetic disk apparatus, a photomag- 
netic disk apparatus or some other external memory, and the 
communication unit 132, with an interface suitable for 
communication with the execution server 120. The autho- 
rization server 330 is provided with a data storage unit 331 
and a communication unit 332, each having a configuration 
similar to its counterpart in the authorization server 130. 

The transaction terminal 140 is provided with a commu- 
nication unit 141, an input unit 142 for entering commands 
and a display unit 143 for displaying the results of command 
execution and the like. The communication unit 141 is 
realized with an interface suitable for communication with 
the execution server 120, the input unit 142, with a keyboard 
or a mouse, for instance, and the display unit 143, with a 
display apparatus for example. The transaction terminal 340 
is provided with a communication unit 341, an input unit 
342 and a display unit 343 configured similarly to their 
respective counterparts in the transaction terminal 140. 
In the foregoing configuration, the subsystems 100 and
300 are installed corresponding to groups situated in posi-
tions geographically distant from each other. In the context
of the present invention as well, the "group" may be a group
of any size, ranging from a large organization such as a
corporation to a small one such as a department or a section
in a corporation. Conceivable ways of being "installed
corresponding to groups" include installation of one com-
puter system for each group, installation of one computer
system for a plurality of groups, and installation of a
plurality of computer systems for one group.

Further in each of the subsystems 100 and 300, there may
be a plurality each of authorization data terminals 110 and
310 and transaction terminals 140 and 340. Thus in this
embodiment, even if a plurality of transaction terminals 140
or 340 to perform prescribed transactions exist in one group
(the subsystem 100 or 300), one authorization server 130 or
330 can manage operator authorization data.

Servers and terminals in each subsystem are realized with 
personal computers, work stations or some other computer 
systems. The functions of each server or terminal are realized
by the control of the data processing unit of the computer 
system by a computer program. The computer program is 
provided stored, as illustrated, in a magnetic disk, an optical 
disk, a semiconductor memory, or some other usual storage 
medium 400. The authorization data terminal 110 and the 
transaction terminal 140, or the authorization data terminal 
310 and the transaction terminal 340, may consist of physi- 
cally the same computer system. 

Next will be described the operations of this embodiment 
with reference to flow charts of FIG. 2 to FIG. 5. The 
operations of this embodiment consist of operations to 
register authorization data and operations to authorize a 
service command in the computer system of another group, 
entered by an operator. 

First will be described operations to register authorization 
data with reference to FIG. 2 and FIG. 3. As the subsystem 
100 is an issuing subsystem for transaction commands and 
the subsystem 300, an executing subsystem for transaction 
commands, each subsystem registers authorization data as 
its role requires.

As a system manager belonging to the group for which the 
subsystem 100 is installed enters authorization data using 
the input unit 112 and the display unit 113 of the authori- 
zation data terminal 110 (step 201), the authorization data 
terminal 110 transmits the authorization data to the autho- 
rization server 130 using the communication unit 111 (step 
202). The authorization data registered here with the sub-
system 100 include the operator name of an operator
authorized to log on the subsystem 100, a password, infor-
mation on matching between the group name of the group
that operator belongs to and information on matching
between the command name of a transaction command and
the group name of a group authorized to execute that
transaction command.

The authorization server 130, upon receiving from the 
communication unit 132 authorization data transmitted from 
the authorization data terminal 110, registers the authoriza-
tion data with the data storage unit 131 (step 203).

Or when a system manager belonging to the group for 
whom the subsystem 300 is installed enters authorization 
data using the input unit 312 and the display unit 313 of the 
authorization data terminal 310 (step 301), the authorization 
data terminal 310, using the communication unit 311, trans-
mits the authorization data to the authorization server 330
(step 302). The authorization data registered here with the
subsystem 300 include information on matching between the
command name of a transaction command registered with
the subsystem 100 and the group name of a group authorized
to execute that transaction command and information on
matching between the group name of a group authorized to 
use the subsystem 100 and the group name of a group having 
an authority equal to that group in the subsystem 300. The 
authorization data also include, where the transaction com- 
mand is to access a prescribed set of data, information on 
matching between the data and the group name of a group 
authorized to access the data. 

The authorization server 330, upon receiving from the 
communication unit 332 the authorization data transmitted 
from the authorization data terminal 310, registers the autho- 
rization data with the data storage unit 331 (step 303). This 
completes the registration of the authorization data. 

Next, will be described authorization operations where an 
operator of the group for which the subsystem 100 is 
installed has entered from the transaction terminal 140 an 
instruction to execute a transaction command on the sub- 
system 300 with reference to FIG. 4 and FIG. 5. 

The instruction to execute the transaction command 
entered by the operator is transmitted from the transaction 
terminal 140 to the execution server 120 via the communi- 
cation unit 141 (steps 401, 402). The execution server 120, 
accepting the instruction to execute the transaction 
command, inquires of the authorization server 130 to check 
whether or not the operator is authorized to log on the 
subsystem 100 (including a check to see whether or not the
operator is authorized to execute that particular transaction
command) (step 403).

If the authorization server 130 judges that the operator is 
authorized to log on the subsystem 100, the execution server 
120 will send the transaction command to the execution 
server of the subsystem 300 via the communication line 200 
(steps 404, 405). On this occasion, the transaction command 
is augmented with the group name of the group the operator 
belongs to (hereinafter this augmented group name will be 
called the "issuing operator group name"). Or, if the autho- 
rization server 130 judges that the operator is not authorized 
to execute the transaction command, error processing, such 
as displaying an error message at the authorization data 
terminal 110, will take place and the processing will be 
completed (steps 404, 406).

The execution server 320 of the subsystem 300 inquires of 
the authorization server 330 whether the issuing operator 
group name added to the transaction command sent from the 
subsystem 100 represents a group authorized to use that 
particular transaction command (steps 501, 502). If the 
authorization server 330, as a result of its checking, autho- 
rizes the group to which the operator belongs to use the 
transaction command, the execution server 320 will execute 
the transaction command (steps 503, 504), and returns the
result of execution to the subsystem 100 (step 505). If the 
authorization server 330 does not authorize the group to 
which the operator belongs to use the transaction command, 
the execution server 320 does not execute the transaction 
command, and notifies the subsystem 100 of its non- 
execution as the result of execution (step 505). Then error 
processing, such as displaying an error message at the 
authorization data terminal 110, will take place and the 
processing will be completed. 
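
The two-stage check of FIG. 4 and FIG. 5, together with the data-access and unauthorized-operator variants from the summary, written out as an added Python example that is not part of the patent text. The class names, result strings and every operator, group, command and data name are constructed for illustration; the password check at log-on is left out.

```python
from dataclasses import dataclass
from typing import Optional


class AuthorizationError(Exception):
    """Raised by the issuing subsystem when the first check fails (step 406)."""


@dataclass(frozen=True)
class AugmentedCommand:
    """What crosses the communication line: the command plus the group name."""
    name: str
    issuing_group: str               # the "issuing operator group name"
    target: Optional[str] = None     # data the command accesses, if any
    operator: Optional[str] = None   # sent only in the unauthorized-operator variant


@dataclass
class IssuingSubsystem:
    operator_group: dict             # first set: operator -> group
    group_commands: dict             # first set: group -> commands its operators may issue
    send_operator: bool = False      # True enables the unauthorized-operator variant

    def issue(self, operator, command, target=None):
        # First authorization: operator -> group -> command (steps 403, 404).
        group = self.operator_group.get(operator)
        if group is None:
            raise AuthorizationError(f"unknown operator {operator!r}")
        if command not in self.group_commands.get(group, set()):
            raise AuthorizationError(f"group {group!r} may not issue {command!r}")
        # Augment with the group name; the operator name is dropped by default.
        return AugmentedCommand(command, group, target,
                                operator if self.send_operator else None)


@dataclass
class ExecutingSubsystem:
    group_alias: dict                # issuing group -> local group of equal authority
    group_commands: dict             # second set: local group -> executable commands
    group_data: dict                 # second set: local group -> accessible data
    denied_operators: dict           # command -> operators barred from it

    def execute(self, cmd):
        # Second authorization: decided only from the group name on the command.
        local = self.group_alias.get(cmd.issuing_group)
        if local is None or cmd.name not in self.group_commands.get(local, set()):
            return "not executed: group not authorized for command"
        if cmd.target is not None and cmd.target not in self.group_data.get(local, set()):
            return "not executed: group not authorized for data"
        if cmd.operator is not None and cmd.operator in self.denied_operators.get(cmd.name, set()):
            return "not executed: operator on unauthorized list"
        return f"executed {cmd.name}"


def build_demo():
    """Constructed sample authorization data for subsystems 100 and 300."""
    issuer = IssuingSubsystem(
        operator_group={"sato": "sales", "suzuki": "audit"},
        # The two sets are maintained independently, so they may disagree:
        # "audit" may issue UPDATE_STOCK here but not execute it remotely.
        group_commands={"sales": {"UPDATE_STOCK"},
                        "audit": {"READ_STOCK", "UPDATE_STOCK"}},
    )
    executor = ExecutingSubsystem(
        group_alias={"sales": "branch_sales", "audit": "branch_audit"},
        group_commands={"branch_sales": {"UPDATE_STOCK"},
                        "branch_audit": {"READ_STOCK"}},
        group_data={"branch_sales": {"stock_db"}, "branch_audit": {"stock_db"}},
        denied_operators={},
    )
    return issuer, executor


if __name__ == "__main__":
    issuer, executor = build_demo()
    print(executor.execute(issuer.issue("sato", "UPDATE_STOCK", "stock_db")))
    # A new operator is registered at the issuing side only.
    issuer.operator_group["tanaka"] = "sales"
    print(executor.execute(issuer.issue("tanaka", "UPDATE_STOCK", "stock_db")))
    print(executor.execute(issuer.issue("suzuki", "UPDATE_STOCK", "stock_db")))
```

The executing side decides from the group name alone, which is why registering "tanaka" needs no change to its authorization data.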

As described so far, in this embodiment, authorization of 
an operation to use a transaction command is accomplished 
by a transaction command issuing subsystem. If the trans- 
action command is a command to be executed in some other 
subsystem, the transaction command is augmented with an
issuing operator group name, i.e. the operator name is
replaced with the operator group name, and transmitted to
the executing subsystem. The executing subsystem can
check the authority to use the transaction command on the
basis of the issuing operator group name added to the
transaction command.

Therefore, where an operator is to be added or some other
change to be made at the executing subsystem, there is no
need to shift authorization data pertaining to the addition or
the like between subsystems. Thus, even if there is such an
addition or the like, the authority to execute the transaction
command can be checked without having to notify the other
subsystem of the addition or the like.

Incidentally, while it is supposed in this embodiment to
add, when a transaction command is to be transmitted to
another subsystem, the group name of the group to which the
operator belongs, i.e. the issuing operator group name is to
be added to the transaction command, an alternative way is
to arrange in advance that the name of the subsystem
(hereinafter called the "subsystem name") should always be
added to the operator name or the terminal name and, when
sending a transaction command from the subsystem 100 to
the subsystem 300, the operator name or the terminal name
should be added in place of the issuing operator group name.

In this case, the subsystem 300 can use the subsystem
name as the group name in registering authorization data
with the authorization server 330. Then the authority to
execute would be recognized on a subsystem-by-subsystem

If a transaction command is entered into the subsystem
100 in this state, the transaction command will be aug-
mented with an operator name or a terminal name when it is
to be transmitted from the subsystem 100 to the subsystem
300. The execution server 320 of the subsystem 300, having
received the transaction command, extracts the subsystem
name of the subsystem 100 from the operator name of the
operator having entered the transaction command, added to
the received transaction command or from the terminal
name of the terminal into which the transaction command
has been entered, and inquires of the authorization server

having a configuration similar to its counterpart in the
subsystem 100.

In FIG. 7, only characteristic parts of the configuration of
this embodiment are shown, but the illustration of other
general aspects is dispensed with.

In this embodiment, each of the subsystems 100 and 300
is provided with a duplicate of the authorization server 130
or 330, respectively. The registered contents of duplicate
authorization servers 130-A and 330-A are always kept
identical with the regular authorization servers 130 and 330,
respectively. Thus, once a new set of authorization data is
registered with the authorization server 130 or 330, the same
set of authorization data is immediately registered with the
authorization server 130-A or 330-A, respectively.

When the decision unit 121 or 321, respectively, of the
execution server 120 or 320 is to inquire about authorization
data, the duplicate authorization server 130-A or 330-A
performs authorization, depending on conditions. For
instance, if the authorization server 130 or the authorization
server 330 is not operating normally, the normally operating
duplicate authorization server 130-A or 330-A will take
charge of the processing on its behalf.

Since other aspects of configuration and operations are
[illegible] foregoing first embodiment, their
[illegible] dispensed with here.

[illegible]

Referring to FIG. 8, the network system of this embodi-
ment consists of subsystems 100 and 300 connected by a
communication line 200. Although only two subsystems are
shown in FIG. 8, the number of subsystems is not limited to
[illegible]

As illustrated, the subsystem 100 is provided with an
authorization data terminal 110 for registering authorization
data, an execution server 120 for performing execution
control, an authorization server 130 for checking
authorization, and a transaction terminal 140 for entering
transaction commands.

Further the subsystem 300 is provided with an authori-
zation data terminal 310, an execution server 320, authori-

330 about the authority to execute on the basis of the nation server 330 and a transaction tenninal 340, each 

extracted subsystem name. The authorization server 330 having a configuration similar to its counterpart in the 

checks the authority to execute, and returns the result of the subsystem 100. 

check to the execution server 320. In FIG. 8, only characteristic parts of the configuration of 

In this manner as well, in a network system connecting a this embodiment are shown, but the illustration of other 

plurality of subsystems, execution authority can be con- general aspects is dispensed with. 

trolled for each individual transaction command with respect In this embodiment, as illustrated in FIG. 8, a data storage 

to each subsystem. unit 331 of the authorization server 330 of the subsystem 

Next will be described in detail a second preferred 300 stores a list of unauthorized operators 333 in which are 

embodiment of the present invention with reference to registered the operator names of operators not authorized to 

drawings. execute commands whose processing in the subsystem 300 

Referring to FIG. 7. the network system of this cmbodi- ^ requested, 
ment consists of subsystems 100 and 300 connected by a 55 Operations of this embodiment will be described with 

communication line 200. Although only two subsystems are reference to FIG. 9. 

shown in FIG. 7, the number of subsystems is not limited to In this embodiment, the operator names of operators who 

what is shown here. are not authorized to execute commands with the subsystem 

As illustrated, the subsystem 100 is provided with an 300 are entered in advance from the authorization data 
authorization data terminal 110 for registering authorization 60 terminal 310 of the subsystem 300 (step 901), and the 

data, an execution server 120 for performing execution operator names are registered into the list of unauthorized 

control, an authorization server 130 for checking operators 333 stored in the data storage unit 331 of the 

authorization, and a transaction terminal 140 for entering authorization server 330 (steps 902, 903). 

transaction commands. The execution server 120 transmits a transaction corn- 
Further the subsystem 300 is provided with an authori- 65 mand augmented with a group name and an operator name 

zation data terminal 310, an execution server 320, authori- to the execution server 320, and the authorization server 

zation server 330 and a transaction terminal 340, each 330, upon receiving an inquiry from the decision unit 321 of 
the execution server 320 about command execution author- 
ity (steps 1001, 1002), first references the list of unautho- 
rized operators 333 and, if operator A is found among 
unauthorized operator names, will return to the decision unit 
321 the authorization result that A is not authorized to 
execute transaction commands (step 1003). Since subse- 
quent operations (step 1004 to step 1006) are the same as the 
authorization operations of the subsystem 300 (step 503 to 
step 505) in the first embodiment illustrated in FIG. 5, their 
description is dispensed with here. 

By introducing the list of unauthorized operators, which
individually specifies operators whose requests for the
execution of transaction commands are not to be complied with,
it is made possible not to authorize command execution in
the subsystem 300 by operator A, who is in a group whose
execution has been authorized by error in the subsystem 100,
so that the use of commands can be limited more
elaborately.

Next will be described operations of the foregoing 
embodiment with reference to a specific example. 

First will be described registration of authorization data in 
the subsystem 100. The system manager of the subsystem 
100, using the input unit 112 at the authorization data 
terminal 110, enters information on an operator to be autho- 
rized to log on, the usable type of command, the range of 
accessible data, and other authorization data (step 201 in 
FIG. 2) and, after confirming the input information on the 
display unit 113, transmits it to the authorization server 130 
with the communication unit 111 (step 202 in FIG. 2). 

The authorization server 130, after checking authorization 
data sent from the authorization data terminal 110, registers 
them with the data storage unit 131 operator by operator and 
group by group (step 203 in FIG. 2). The registered autho- 
rization data in the authorization server 130 of the subsystem 
100 are supposed to have the following contents. 

Registered authorization data

Operator information

    Operator A        Group A-1@100
    Operator B        Group B-1@100

Command authority

    Group A-1@100     Command a@100, Command b@300
    Group B-1@100     Command c@100

In the foregoing registration authorization data, operator
information indicates that operator A belongs to group
A-1@100 matching the subsystem 100, and operator B, to
group B-1@100 matching the subsystem 100. It is further
indicated that the command authority covers the execution
by group A-1@100 of command a@100 to access data
stored in the subsystem 100 and command b@300 to access
data stored in the subsystem 300, and that by group
B-1@100 of command c@100 to access data stored in the
subsystem 100.

Next will be described the registration of authorization 
data in the subsystem 300. The system manager of the 
subsystem 300, using the input unit 312 at the authorization 
data terminal 110, enters information on the usable type of 
command for the operator group of the subsystem 100, the 
range of accessible data, and other authorization data (step 
301 in FIG. 3) and, after confirming the input information on 
the display unit 313, transmits it to the authorization server 
330 with the communication unit 311 (step 302 in FIG. 3). 

The authorization server 330, after checking authorization 
data sent from the authorization data terminal 310, registers 
them with the data storage unit 331 operator by operator and 
group by group (step 303 in FIG. 3). The registered autho- 
rization data in the authorization server 330 of the subsystem 
300 are supposed to have the following contents. 

Registered authorization data

Command authority

    Group A-2@300     Command a@300, Command b@300

Data access authority

    Group B-2@300     Data d-300

Group dependence relationship

    Group A-1@100     Group A-2@300, Group B-2@300

The command authority in the foregoing registered authorization
data indicates that group A-2@300 is authorized to
execute command a@300 and command b@300 to access
data stored in the subsystem 300. The group dependence
relationship indicates that group A-1@100 matching the
subsystem 100 has authority comparable to what is assigned to
group A-2@300 and group B-2@300 in the subsystem 300.

Next will be described, with reference to the flow chart of
FIG. 6, the authorization operations which take place when
operator A belonging to group A-1@100 matching the
subsystem 100 is to access data stored in the subsystem 300.

As operator A, to log on the subsystem 100, enters such 
log on information as the operator name and password using 
the input unit 142 and the display unit 143 of the execution 
terminal 140 (step 601), the transaction terminal 140 trans- 
mits the log on information to the execution server 120, 
using the communication unit 141 (step 602). 

A decision unit of the execution server 120, upon receiv- 
ing with the communication unit 123 the log-on information 
entered into the transaction terminal 140, inquires of the 
authorization server 130 whether or not the log-on by the 
pertinent operator is authorized (step 603). 

The authorization server 130, upon receiving with the 
communication unit 132 the log-on information sent from 
the execution server 120, compares the log-on information 
with the authorization information registered with the data 
storage unit 131, and judges whether or not operator A is 
authorized to log on (step 604). The result of judgment is 
transmitted to the execution server 120, using the commu- 
nication unit 132 (step 605). 

The execution server 120 transmits to the transaction 
terminal 140 the result of authorization received from the 
authorization server 130 (step 606), and the transaction 
terminal 140 displays the result of authorization on the 
display unit 143 (step 607). Operator A receives the result of 
log-on authorization by visually perceiving the displayed 
result on the display unit 143. Here, since operator A is 
registered in the operator information among the registration 
authorization data of the authorization server 130, the result 
of authorization is that his or her log-on is authorized. 

Next, suppose that operator A has entered from the input 
unit 142 a command b@300 to access data d-300 in the 
subsystem 300 from the transaction terminal 140 (step 608). 
The transaction terminal 140, using the communication unit 
141, transmits the command to the execution server 120 
(step 609). 

When the execution server 120 receives the command 
b@300 sent from the transaction terminal 140, its decision 
unit 121 inquires of the authorization server 130 whether or 
not operator A is authorized to execute the command b@300 
(step 610). 

The authorization server 130, referencing the data storage
unit 131, knows that operator A belongs to group A-1@100,
and that group A-1@100 is authorized to execute command
a@100 and command b@300, and judges that operator A is
authorized to execute command b@300 (step 611). It returns
the acquired result of authorization to the execution server
120 (step 612).

In the execution server 120, the decision unit 121, upon 
receiving the result of authorization by the authorization 
server 130 via the communication unit 123, authorizes 
execution of the command b@300, and transmits a request 
for execution of the command b@300 to the subsystem 300 
via the communication line 200 (step 613). In doing so, it 
augments the request for command execution with group 
A-1@100 to which operator A belongs. 

In the subsystem 300, when the decision unit 321 of the
execution server 320 receives the command b@300 and
information on group A-1@100 from the communication
lines 200 (step 501 in FIG. 5), it inquires of the authorization
server 330 whether or not the combination of the command
and the group is authorized for execution (step 502 in FIG.
5). Here, as group A-1@100 has the authority which is
granted to group A-2@300, and group A-2@300 is
authorized to use the command b@300, the result of
authorization to permit execution is returned from the
authorization server 330 to the execution server 320 (step 503
in FIG. 5).

Further, since group A-1@100 has the authority which is
granted to group B-2@300, and group B-2@300 is
authorized to access data d-300, the decision unit 321
authorizes execution of the command b@300, hands over
the processing to the execution unit 322, and executes the
command b@300 to access data d-300 (step 504 in FIG. 5).
The result of execution of the command b@300 is transmitted
to the execution server 120 of the subsystem 100,
using the communication line 200 (step 505 in FIG. 5).

Referring again to FIG. 6, the execution server 120 of the 
subsystem 100 receives the result of execution of the com- 
mand b@300 sent via the network 200 (step 614), and 
transmits the result of execution to the transaction terminal 
140 (step 615). The transaction terminal 140, upon receiving 
the result of execution of the command b@300, displays the 
result of execution on the display unit 143 (step 616). This 
enables operator A to check the result of entry of the 
command b@300. 
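The two-stage check walked through above can be modeled as follows. This is an added example, not part of the patent text: it loads the registered authorization data of the worked example, and the class names, the `submit` helper, the reason strings and the data name `e-300` are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Registered authorization data of subsystem 100 (issuing side).
OPERATOR_GROUP_100 = {"A": "A-1@100", "B": "B-1@100"}
COMMAND_AUTHORITY_100 = {"A-1@100": {"a@100", "b@300"}, "B-1@100": {"c@100"}}

# Registered authorization data of subsystem 300 (executing side).
COMMAND_AUTHORITY_300 = {"A-2@300": {"a@300", "b@300"}}
DATA_AUTHORITY_300 = {"B-2@300": {"d-300"}}
GROUP_DEPENDENCE_300 = {"A-1@100": {"A-2@300", "B-2@300"}}


@dataclass(frozen=True)
class AugmentedCommand:
    """What crosses the communication line: command plus identifying data."""
    command: str
    data: str
    group: str                      # issuing operator group name
    operator: Optional[str] = None  # sent only in the unauthorized-list variant


class IssuingSubsystem:
    """First check: operator -> group -> commands."""

    def __init__(self, operator_group, command_authority):
        self.operator_group = operator_group
        self.command_authority = command_authority

    def issue(self, operator, command, data, send_operator=False):
        """Return the augmented command, or None when the operator is refused."""
        group = self.operator_group.get(operator)
        if group is None:
            return None
        if command not in self.command_authority.get(group, set()):
            return None
        return AugmentedCommand(command, data, group,
                                operator if send_operator else None)


class ExecutingSubsystem:
    """Second check: requesting group -> commands and data, default deny."""

    def __init__(self, command_authority, data_authority, group_dependence,
                 unauthorized_operators=frozenset()):
        self.command_authority = command_authority
        self.data_authority = data_authority
        self.group_dependence = group_dependence
        self.unauthorized_operators = set(unauthorized_operators)

    @staticmethod
    def _granted(table, groups):
        """Union of everything the table grants to any of the groups."""
        granted = set()
        for group in groups:
            granted |= table.get(group, set())
        return granted

    def authorize(self, request):
        """Return (allowed, reason) for an augmented command."""
        # The list of unauthorized operators is consulted first, and it can
        # only take effect when the operator name was actually transmitted.
        if (request.operator is not None
                and request.operator in self.unauthorized_operators):
            return False, "operator is on the list of unauthorized operators"
        # Assumption of this model: the requesting group counts as itself
        # plus every local group named in the group dependence relationship.
        groups = {request.group} | self.group_dependence.get(request.group, set())
        if request.command not in self._granted(self.command_authority, groups):
            return False, "command not authorized for group"
        if request.data not in self._granted(self.data_authority, groups):
            return False, "data not authorized for group"
        return True, "authorized"


def submit(issuer, executor, operator, command, data, send_operator=False):
    """Run both checks in order, as the execution servers do."""
    request = issuer.issue(operator, command, data, send_operator)
    if request is None:
        return False, "refused by issuing subsystem"
    return executor.authorize(request)


if __name__ == "__main__":
    issuer = IssuingSubsystem(OPERATOR_GROUP_100, COMMAND_AUTHORITY_100)
    executor = ExecutingSubsystem(COMMAND_AUTHORITY_300, DATA_AUTHORITY_300,
                                  GROUP_DEPENDENCE_300)
    for operator, data in (("A", "d-300"), ("B", "d-300"), ("A", "e-300")):
        print(operator, data, submit(issuer, executor, operator, "b@300", data))
```

When only the group name is sent, the executing side cannot apply the list of unauthorized operators, so that variant depends on the operator name being added to the command as well.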

Although the present invention has been described so far with
reference to some preferred embodiments thereof, the invention
is not necessarily restricted to the foregoing embodiments.

As hitherto described, in a network system and a method to
limit the execution of commands according to the invention,
authorization of the operator having instructed the execution
of a transaction command is accomplished by the issuing
subsystem, so there is no need for that authorization to be
accomplished by the subsystem that executes the command. As
a result, there is no need for communication to make
authorization data held by all the subsystems identical,
resulting in the advantages of reducing unnecessary
consumption of system resources and avoiding performance
deterioration of the system.

Also, because the invention gives authorization regarding
transaction commands in the executing subsystem to each
group to which operators belong, there is no need for
communication between subsystems to make authorization
data identical even if issuing subsystems or operators
issuing transaction commands are added or altered, as long
as no group is added or altered, resulting in
another advantage of further simplifying the system
management.

What is claimed is: 

1. A network system including a first computer system, a 
second computer system, and communication lines to con- 
nect said first and second computer systems, 
said first computer system comprising: 

a first memory for storing a first set of authorization 
data including information on matching between an 
operator and a group the operator belongs to, and 
information on matching between a group and com- 
mands authorized for operators belonging to the 
group to execute; 

a first authorization unit for referencing, when a com- 
mand to be executed by said second computer sys- 
tem is entered by an operator, said first set of 
authorization data and judging whether or not the 
operator is to be authorized to execute the command; 
and 

a first execution unit for augmenting, if said first 
authorization unit judges that the operator is to be 
authorized to execute the command, the command 
with information to identify the group to which the 
operator belongs, and transmitting the augmented 
command to said second computer system as a 
request from the group to execute the command; and 
said second computer system comprising: 

a second memory for storing a second set of authori- 
zation data including information on matching 
between a group and commands authorized for 
execution in response to an execution request from 
the group; 

a second authorization unit for referencing, when the 
command is received from said first computer 
system, said second set of authorization data and 
judging whether or not the command is to be autho- 
rized for execution in response to the execution 
request from the group whose command is aug- 
mented with identifying information; and 

a second execution unit for executing the command, if 
said second authorization unit judges that the com- 
mand is to be authorized for execution, in response 
to the execution request from the group. 

2. A network system, as claimed in claim 1, wherein: 
said second set of authorization data further includes 

information on matching between a group and data to 
which access is to be authorized in response to the 
execution request from the group; 
said second authorization unit references said second set 
of authorization data and judges whether or not the data 
to be accessed by the command are to be allowed 
access to in response to the request from the group 
whose command is augmented with identifying infor- 
mation; and 

said second execution unit, if said second authorization 
unit judges that the data may be allowed access to in 
response to the request from the group, executes the 
command. 

3. A network system, as claimed in claim 1, wherein: 
said first execution unit further augments the command 

with operator identifying information and transmits it 
to said second computer system; 

said second memory further stores a list of unauthorized 
operators matching commands and operators unautho- 
rized to execute the respective commands; 

said second authorization unit refers to said list of unau- 
thorized operators and judges whether or not the opera- 
tor whose command is augmented with identifying 
information is to be authorized to execute the com- 
mand; and 

said second execution unit, if said second authorization 
unit judges that the operator is not to be authorized to 
execute the command, does not execute the command. 
4. A network system, as claimed in claim 1, wherein the 
operator that entered the command to be executed by the 
second computer system is an operator of the first computer 
system. 

5. A network system, as claimed in claim 4, wherein the 
identifying information augmented with the command, as 
received by the second authorization unit, does not include 
any information identifying the operator but rather only 
identifies the group that the operator of the first computer 
system is a member of. 

6. A method to limit the execution of commands, com- 
prising: 

a first registration step to register with a first computer 
system a first set of authorization data including infor- 
mation on matching between an operator and a group 
the operator belongs to, and information on matching 
between a group and commands authorized for opera- 
tors belonging to the group to execute; 

a second registration step to register with a second com- 
puter system a second set of authorization data includ- 
ing information on matching between a group and 
commands authorized for execution in response to an 
execution request from the group; 

a first authorization step to reference, when a command to 
be executed by said second computer system is entered 
by an operator into said first computer system, the first 
set of authorization data and to judge whether or not the 
operator is to be authorized to execute the command; 
and 

a first execution step to augment, if it is judged at said first 
authorization step that the operator is to be authorized 
to execute the command, the command with informa- 
tion to identify the group to which the operator belongs, 
and to transmit the augmented command from said first 
computer system to said second computer system as a 
request from the group to execute the command; and 

a second authorization step to reference, when said second 
computer system receives said command 
from said first computer system, said second set of 
authorization data and to judge whether or not the 
command is to be authorized for execution in response 
to the execution request from the group whose com- 
mand is augmented with identifying information; and 

a second execution step to have the command executed by 
said second computer system, if it is judged at said 
second authorization step that the command is to be 
authorized for execution, in response to the execution 
request from the group. 

7. A method, as claimed in claim 6, wherein: 
said second set of authorization data further includes 

information on matching between a group and data to 
which access is to be authorized in response to the 
execution request from the group; 

at said second authorization step it is judged whether or 
not the data to be accessed by the command are to be 
allowed access to in response to the request from the 
group whose command is augmented with identifying 
information; and 

at said second execution step, if it is judged at said second 
authorization step that the data may be allowed access 
to in response to the request from the group, the 
command is executed. 

8. A method, as claimed in claim 6, wherein: 
at said first execution step, the command is further aug- 
mented with operator identifying information and 
transmitted to the second computer system; 
at said second registration step, a list of unauthorized 
operators matching commands and operators unautho- 
rized to execute the respective commands is further 
registered; 

at said second authorization step, said list of unauthorized 
operators is referenced, and it is judged whether or not 
the operator whose command is augmented with iden- 
tifying information is to be authorized to execute the 
command; and 

at said second execution step, if it is judged at said second 
authorization step that the operator is not to be authorized 
to execute the command, the command is not executed. 

9. A method, as claimed in claim 6, wherein the operator 
that entered the command to be executed by the second 
computer system is an operator of the first computer system. 

10. A method, as claimed in claim 9, wherein the identi- 
fying information augmented with the command, as 
received in the second authorization step, does not include 
any information identifying the operator but rather only 
identifies the group that the operator of the first computer 
system is a member of. 

11. A storage medium recording thereon a program 
enabling: 

a first computer system to execute first registration pro- 
cessing to register a first set of authorization data 
including information on matching between an opera- 
tor and a group the operator belongs to, and information 
on matching between a group and commands autho- 
rized for operators belonging to the group; 

a second computer system to execute second registration 
processing to register a second set of authorization data 
including information on matching between a group 
and commands authorized for execution in response to 
an execution request from the group; 

said first computer system to execute first authorization 
processing to reference, when a command to be 
executed by said second computer system is entered by 
an operator, said first set of authorization data and to 
judge whether or not the operator is to be authorized to 
execute the command; 

said first computer system to execute first execution 
processing to augment, if it is judged by said first 
authorization processing that the operator is to be 
authorized to execute the command, the command with 
information to identify the group to which the operator 
belongs, and to transmit the augmented command to 
said second computer system as a request from the 
group to execute the command; 

said second computer system to execute second authori- 
zation processing to reference, when the command is 
received from said first computer system, said second 
set of authorization data and to judge whether or not the 
command is to be authorized for execution in response 
to the execution request from the group whose com- 
mand is augmented with identifying information; and 

said second computer system to execute second execution 
processing to execute the command, if it is judged at 
said second authorization processing that the command 
is to be authorized for execution, in response to the 
execution request from the group. 

12. A storage medium, as claimed in claim 11, wherein: 
said second set of authorization data further includes 

information on matching between a group and data to 
which access is to be authorized in response to the 
execution request from the group; 
by said second authorization processing it is judged 
whether or not the data to be accessed by the command 
are to be allowed access to in response to the request 
from the group whose command is augmented with 
identifying information; and 
by said second execution processing, if it is judged by said 
second authorization processing that the data may be 
allowed access to in response to the request from the 
group, the command is executed. 

13. A storage medium, as claimed in claim 11, wherein: 
in said first execution processing, the command is further 

augmented with operator identifying information and 
transmitted to said second computer system; 

in said second registration processing, a list of unautho- 
rized operators matching commands and operators 
unauthorized to execute the respective commands is 
further registered; 

in said second authorization processing, said list of unau- 
thorized operators is referenced, and it is judged 
whether or not the operator whose command is aug- 
mented with identifying information is to be authorized 
to execute the command; and 

in said second execution processing, if it is judged by said 
second authorization processing that the operator is not 
to be authorized to execute the command, the command is 
not executed. 

14. A group of storage media wherein said program, as 
claimed in claim 11, is divided into a plurality of portions, 
each of which is recorded on one of the plurality of record- 
ing media. 

15. A group of storage media wherein said program, as 
claimed in claim 12, is divided into a plurality of portions, 
each of which is recorded on one of the plurality of record- 
ing media. 

16. A group of storage media wherein said program, as 
claimed in claim 13, is divided into a plurality of portions, 
each of which is recorded on one of the plurality of record- 
ing media. 

17. A storage medium, as claimed in claim 11, wherein the 
operator that entered the command to be executed by the 
second computer system is an operator of the first computer 
system. 

18. A storage medium, as claimed in claim 17, wherein the 
identifying information augmented with the command, as 
received by the second computer system and as processed by 
the second authorization processing, does not include any 
information identifying the operator but rather only identi- 
fies the group that the operator of the first computer system 
is a member of. 

19. A program embodied in electric signals, said program 
enabling: 

a first computer system to execute first registration pro- 
cessing to register a first set of authorization data 
including information on matching between an opera- 
tor and a group the operator belongs to, and information 
on matching between a group and commands autho- 
rized for operators belonging to the group; 

a second computer system to execute second registration 
processing to register a second set of authorization data 
including information on matching between a group 
and commands authorized for execution in response to 
an execution request from the group; 

said first computer system to execute first authorization 
processing to reference, when a command to be 
executed by said second computer system is entered by 
an operator, said first set of authorization data and to 
judge whether or not the operator is to be authorized to 
execute the command; 
said first computer system to execute first execution 
processing to augment, if it is judged by said first 
authorization processing that the operator is to be 
authorized to execute the command, the command with 
information to identify the group to which the operator 
belongs, and to transmit the augmented command to 
said second computer system as a request from the 
group to execute the command; 

said second computer system to execute second authori- 
zation processing to reference, when the command is 
received from said first computer system, said second 
set of authorization data and to judge whether or not the 
command is to be authorized for execution in response 
to the execution request from the group whose com- 
mand is augmented with identifying information; and 

said second computer system to execute second execution 
processing to execute the command, if it is judged by 
said second authorization processing that the command 
is to be authorized for execution, in response to the 
execution request from the group. 

20. A program, as claimed in claim 19, wherein: 

said second set of authorization data further includes 
information on matching between a group and data to 
which access is to be authorized in response to the 
execution request from the group; 

by said second authorization processing it is judged 
whether or not the data to be accessed by the command 
are to be allowed access to in response to the request 
from the group whose command is augmented with 
identifying information; and 

by said second execution processing, if it is judged by said 
second authorization processing that the data may be 
allowed access to in response to the request from the 
group, the command is executed. 

21. A program, as claimed in claim 19, wherein: 

in said first execution processing, the command is further 
augmented with operator identifying information and 
transmitted to said second computer system; 

in said second registration processing, a list of unautho- 
rized operators matching commands and operators 
unauthorized to execute the respective commands is 
further registered; 

in said second authorization processing, said list of unau- 
thorized operators is referenced, and it is judged 
whether or not the operator whose command is aug- 
mented with identifying information is to be authorized 
to execute the command; and 

in said second execution processing, if it is judged by said 
second authorization processing that the operator is not 
to be authorized to execute the command, the command is 
not executed. 

22. A program, as claimed in claim 19, wherein the 
operator that entered the command to be executed by the 
second computer system is an operator of the first computer 
system. 

23. A program, as claimed in claim 22, wherein the 
identifying information augmented with the command, as 
received by the second computer system, does not include 
any information identifying the operator but rather only 
identifies the group that the operator of the first computer 
system is a member of. 